Network Computing


Motorola CipherNET Certifies Security
December 15, 1998

By Barry Nance
 Having a network server that issues digital certificates is like having remote access to a machine that issues driver's licenses, credit cards or passports. Security for both the hardware that issues the certificate and the communications link is critical. A breach or break-in can result in a loss of money, time and confidential information.

Motorola believes it has an answer in its CipherNET 1000 Certificate Authority Server 2.0, a Web-based digital-certificate management tool. To learn how well it handles digital certificate issues, I tested a late beta version of CA Server 2.0, along with the included Netscape Directory Authentication Module and Registrar 2.0. I was pleasantly surprised by CipherNET's scalability and ease of use, and by how robust it was. In the lab, it proved to be a highly secure and reliable management tool.

Certifying Users

CipherNET is intended primarily for e-commerce security, and essentially is a special-purpose, limited-function Web server running in a secure environment. During our tests, it issued X.509 v3 certificates as I used its browser-based Registrar component, which sent over-the-wire requests to the server for each certificate operation I selected. Encryption prevented me from seeing the format of the requests, but the CA Server's behavior suggested that it used OCSP (Online Certificate Status Protocol), which consists of an HTTP 1.0 URL, followed by a sequence of keyword-value pairs, to transport the requests.

CipherNET stored the key and certificate data in an Oracle 7.3 database, using PKCS #12 software tokens. It published the public key information in Netscape's Directory Server, a SuiteSpot component based on LDAP. From Directory Server, I was able to transport the public key certificate information via either floppy disk or SMTP-based e-mail. While I successfully set up multiple Registrar sites, each site had only a single layer of administrative functionality; CipherNET did not offer hierarchical delegation of certificate management responsibilities.

As I issued and revoked certificates, CipherNET let me encrypt them with either RSA Data Security's public key technology or Certicom Corp.'s elliptic curve cryptographic (ECC) technology.

CipherNET marks Motorola's entry into the commercial software market. While the company is best known for its radio, wireless telephone, semiconductor, paging and air traffic control hardware-based products, for several years Motorola quietly has been producing Data Encryption Standard (DES)- and RSA-based security software under contract to U.S. government agencies such as the NSA (National Security Agency). CipherNET embodies Motorola's recent experience with security software. CipherNET, the Netscape Directory Authentication Module and the Registrar component run on Windows NT 4.0 and require preinstallation of Oracle 7.3 and Netscape SuiteSpot.

A Tough Nut To Crack

Security is clearly CipherNET's strong suit. During installation, CipherNET examined the NT Server configuration to ensure that it conformed to a stringent set of requirements. For example, the CA Server would install itself only on a Windows NT 4.0 machine that had Service Pack 3 applied without the Option Pack. CipherNET's installer disabled all of NT Server's built-in network services, such as the FTP and e-mail functions. Furthermore, the server was able to have only one network adapter, had to be a standalone server (not a primary domain controller) within a domain, must have had all drives formatted with NTFS (Windows NT File System) and must have been assigned a fixed IP address. Passwords controlled access to the administrative functions within CipherNET.

On my network, CipherNET confabulated all its network transmissions with IETF PKIX (Public Key Infrastructure X.509) protocols using 220-bit encryption. Using Network Associates' Sniffer software to eavesdrop on the dialog between the Registrar and CipherNET produced an unintelligible display; repeated efforts to spoof phony CA Server requests failed miserably. The NT Server environment imposed by CipherNET did not enable network drive sharing or running a Web server (such as Microsoft's Internet Information Server) alongside CipherNET. Even after CA Server installation, it refused to issue certificates once it detected that I had reconfigured the NT machine as a general-purpose Web server by installing Internet Information Server.

Because CipherNET ran on the same computer as the Oracle RDBMS (relational database management system) database, it configured Oracle not to run the remote data access middleware TNS Listener module. CA Server accessed Oracle directly via program-to-program links within the server machine, and I was unable to create a connection to the database from a network client computer. Similarly, my attempts to access CipherNET's internal Web server without using the Registrar component failed. When placed in a locked room, thus ensuring physical security, CipherNET became a hands-off, secure certificate issuer.
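The behavior described in this section, a baseline checked at install time and checked again before certificates are issued, can be sketched as a fail-closed posture gate. This is an added example, not Motorola's code; the `HostState` fields, service names and function names are hypothetical, and the sample hosts are constructed.

```python
# Added illustration: fail-closed host posture gate modeled on the review's
# description. Field and service names are hypothetical, not CipherNET's.
from dataclasses import dataclass, field

# Services the review says were disabled or not permitted on the CA host.
FORBIDDEN_SERVICES = {"ftp", "smtp", "iis", "file_sharing", "tns_listener"}

@dataclass
class HostState:
    service_pack: int
    option_pack: bool
    role: str                      # "standalone" or "pdc"
    adapters: int
    static_ip: bool
    filesystems: dict              # drive letter -> filesystem name
    services: set = field(default_factory=set)

def posture_violations(h: HostState) -> list:
    """Return every departure from the baseline (empty list = compliant)."""
    v = []
    if h.service_pack != 3 or h.option_pack:
        v.append("requires Service Pack 3 without the Option Pack")
    if h.role != "standalone":
        v.append("must be a standalone server")
    if h.adapters != 1:
        v.append("exactly one network adapter allowed")
    if not h.static_ip:
        v.append("fixed IP address required")
    v += [f"drive {d} is {fs}, not NTFS"
          for d, fs in sorted(h.filesystems.items()) if fs.upper() != "NTFS"]
    v += [f"forbidden service running: {s}"
          for s in sorted(h.services & FORBIDDEN_SERVICES)]
    return v

class PostureError(RuntimeError):
    pass

def issue_certificate(subject: str, host: HostState) -> str:
    """Re-check posture on every request, not only at install time."""
    problems = posture_violations(host)
    if problems:
        raise PostureError("; ".join(problems))  # fail closed: nothing is signed
    return f"issued:{subject}"                    # stand-in for the signing step

# Constructed sample hosts: one compliant, one reconfigured after install.
BASELINE = HostState(3, False, "standalone", 1, True, {"C": "NTFS", "D": "NTFS"})
DRIFTED = HostState(3, False, "standalone", 1, True, {"C": "NTFS", "D": "FAT"},
                    services={"iis", "spooler"})
```

Running the check inside the issuance path, not only in the installer, is what makes later reconfiguration of the host stop issuance instead of going unnoticed.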

Intuitive Interface

CipherNET's easy-to-use browser-based administrative interface was painless and intuitive. In tests, the product was robust and reliable when configured to use RSA encryption. Choosing elliptic curve encryption revealed some programming errors, but Motorola said it was aware of the problem and that it would be fixed before the release of the final version.

CipherNET performed with alacrity in the lab, even in its beta form, and I found it scaled well within the confines of the range of Intel-based computers that run Windows NT. I noticed that CipherNET spawned multiple threads and managed several Oracle database connections to handle large volumes of certificate requests. For even larger workloads, Motorola says it's working on a Solaris- (Unix-) based version of the product.

Barry Nance, a computer analyst and consultant for 28 years, is the author of Introduction to Networking, 4th Edition (Que, 1997) and Client/Server LAN Programming (Que, 1994). Send your comments on this article to him at barryn@erols.com.

